Re: [Freeipa-devel] [PATCH] 483 Fix ACL evaluation with multiple results

2012-02-28 Thread Simo Sorce
On Tue, 2012-02-28 at 19:35 +0200, Alexander Bokovoy wrote:
> On Tue, 28 Feb 2012, Simo Sorce wrote:
> 
> > The ACL was working correctly only in a subset of cases, due to the code
> > overwriting cases when a client or target was found on later checks.
> > 
> > This fixes it and makes multiple targets/clients configurations work
> > properly.
> ACK. Worked after package update.
> 
> 

Pushed to master and ipa-2-2

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 483 Fix ACL evaluation with multiple results

2012-02-28 Thread Alexander Bokovoy
On Tue, 28 Feb 2012, Simo Sorce wrote:

> The ACL was working correctly only in a subset of cases, due to the code
> overwriting cases when a client or target was found on later checks.
> 
> This fixes it and makes multiple targets/clients configurations work
> properly.
ACK. Worked after package update.


-- 
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 483 Fix ACL evaluation with multiple results

2012-02-28 Thread Simo Sorce
The ACL was working correctly only in a subset of cases, due to the code
overwriting cases when a client or target was found on later checks.

This fixes it and makes multiple targets/clients configurations work
properly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From b6fd2b246280cf41ad03c7e5cd453030c86c5e4f Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 28 Feb 2012 10:47:18 -0500
Subject: [PATCH] ipa-kdb: fix delegation acl check

We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
---
 daemons/ipa-kdb/ipa_kdb_delegation.c |6 --
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
index 579a9f3157d260679898668432cf23789993a793..5ae5e0d9d090a92b622e926e0bff538d979a4936 100644
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@@ -140,7 +140,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
 switch (ret) {
 case 0:
 for (dres = deref_results; dres; dres = dres->next) {
-if (strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
+if (client_found == false &&
+strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
 /* NOTE: client_missing is used to signal that the
  * attribute was completely missing. This signals that
  * ANY client is allowed to be impersonated.
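Review bot: the `client_found == false &&` guard stops a later non-matching `ipaAllowToImpersonate` entry from clobbering an earlier match, but nothing in the hunk records that the intended semantics are now "any one entry matching is sufficient"; a one-line comment above the `if` saying so would keep the next reader from reintroducing the overwrite, and the loop could `break` once both `client_found` and `target_found` are true rather than walking the remaining deref results. Minor style point: `!client_found` reads more naturally than `client_found == false`.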
@@ -148,7 +149,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
 client_missing = false;
 client_found = ipadb_match_member(client_princ, dres);
 }
-if (strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
+if (target_found == false &&
+strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
 target_found = ipadb_match_member(target_princ, dres);
 }
 }
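Review bot: this mirrors the client guard, so both flags now keep the first successful `ipadb_match_member` result; the commit message says the old behaviour was order dependent, so the fix deserves a regression test with a principal carrying several `ipaAllowedTarget` values where the matching entry comes first and a non-matching one follows, since that ordering is exactly the case the unguarded assignment got wrong. Note also that the `client_missing = false;` line in the leading context is inside the guarded client block, so it is no longer re-executed after a match, which is harmless only because it has already been cleared by then; a comment making that dependency explicit would help.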
-- 
1.7.7.6
